Incident Response

Analytical lifting, how Olympic Weightlifting helped with my IR workflows/analysis

m0rt0n86Leave a comment

Don’t worry I am not going to make this a #dfirfit post with lifts and all of that but wanted to share how my Olympic Weightlifting (which is “technical” in the sense of movements/positioning and mindset) helped strengthen my IR workflows/analysis when I have investigating. Now I am not saying everyone should go lift and they will magically be a better at their job (though it could help with stress and other things, but that is not the point here). Just wanted to share some personal experience and something I noticed after some time off from lifting due to my chronic health issues. Before anyone ask why I lift this way versus just general strength and conditioning it just happens to be a form a movement I enjoy (granted its a love/hate relationship) and I also do enjoy the competition aspect of it as well… Just don’t tell my anxiety that but also at the same time I use it as a tool to work on that

Now why be analytical with this? as someone that is mostly a remote athlete I sort of had to as I do not get direct feed back like I would if I was at my gym lifting (Don’t worry I do record lifts and send them to my coach and do try and make the commute out to the gym when I am feeling good). As I’ve developed a connection with how my body is moving from yoga even before I started lifting so I had a slight advantage per say. You will get to a point when you can feel that your weight is shifted to a pinch foreword or you transitioned from your first pull to your second pull a pinch earlier than normal. A lot of this is just minor variations that happen in a lift and most of the time the faults come from when you first start pulling the bar of the ground and next time you know you have a learning opportunity for your next lift/session. It’s these small little details you need to pay attention to and feel and you work on rep after rep after rep and also doing accessory movements and prehab for imbalances you might discover you have/ares you need some work at.

Ok I bet you might be wondering what the hell any of that means if you don’t lift or how that ties into not even incident response but just general analysis (or to keep it “cyber” a SOC analyst). Well I’ll break it down into nice little bullet points of things that helped me along the way and to help make sense of the things I noted above and take what you want from it. Maybe it might help you realize that hobbies you enjoy could still help you with skills you might need in your “9-5”.

  • First and foremost, You will make mistakes and you will “miss lifts”
    • Tying the miss lifts in you will miss read a log/data set, might think an alert is a false positive, or go down the rabbit hole analyzing trace data/mft and try and follow the “bad thing” only to find that it was just either an IT background script or just the way a peice of software worked and be a false positive after all. This is hard concept as no one likes to be wrong, no one likes to miss when it comes to lifting (or to bomb out at a meet, aka not make any lifts at a meet) or because something was missed a P4/P3 incident turns into a P2/P1. No one is perfect (good luck telling that to use of ADHD/Anxiety…which is a hole other subject). You will make mistakes it is how to take them and if you like them beat you down or take them for what they are, something to learn from and grow. I know back when I was doing engineering the joke always was if you don’t take down prod once, are you even a sys admin/engineer? Well I attempted to patch and update the SIEM at my old job and it was down for a month…talk about a “learning experience”. Now obviously there are situations that can be more dramatic and hit harder (ie ransomware) but feel that shittyness for a bit (because feeling emotions is good as I am learning) but you need to noticed that weakness and make it an area to work on, talk with your manager/leadership about training or going outside of work for mentorship/guidance on it, research it and come back better for it after you get some “reps” in. but for a TL’DR don’t quit because you missed, make it something you can learn from and grow and reconise when you are falling back into bad habbits
  • Successories…aka accessories movements..aka training/research
    • I know I mentioned with the main lifts you are doing rep after rep after rep which gets you strong in those positions and gets you to feel things for your core lifts or core job/skills for job. If there is one thing I have learned from both of these is you can always learn something. Technology is always changing so you need to do what you can (not burn yourself out in the process) but make time if you can for doing accessory’s or trying that can help out with your primary job function even if it is just a different way of doing one of the task. In a weightlifting approach it might be doing clean pulls or snatch deadlifts, it’s not a full snatch or clean but helps us work on those positions we need to get stronger at for core skills. This would also be doing CTFs/Labs with different tools that you might not be used to using. Another example would be hamstring curls, pull ups, farmers carries, or even curls to hit weak spots that will help with the main lifts this might be learning a specific function of a tool better or learning how to write more complex detection’s/queries, or just general researching malware/vulnerabilities that have been affecting $employer. Again the purpose of these are not to burn you out or lead to more fatigued if you are having an off day, pull these back or skip them. Also if you cane get $employeer to help with this, and get leadership support, awesome! I am also not saying to go buy subscriptions to every place too follow the KISS methodology about it and if you noticed an area bring it up and try to work on it when you can. Which also ties into the first point I made about not giving up because you made a mistake or weren’t perfect about it. Before I forget this can also be soft skills too (Lets be real, most of us also need to work on writing reports/documentation…)
  • Communication is key
    • Not just the external communication but also internal…listening to your body and how you are feeling. You might have days were you had some personal/family stuff going on (or in my case chronic health issue) and just are not feeling it, having issues with simple task (which can be frustrating and again lead to point number 1 and why I made it the first point). Talk to your peers/managers/leaders or in a lifting sense your coach. You might need a day or two with pulled back responsibilities or even need to take some mental health/”sick” days to recharge a bit (this also does not make you weak FYI). If you don’t tell anyone what is going on no one will know and can help. You are just going to push though and while it might not lead to a physical injury like with lifting it will likely lead to burnout or just emptying your..umm..f’s to give which leads to mistakes and can start a negative cycle really quick. This also leads to the prehab stuff as if you have something that is nagging its going to make things harder so work on addressing by communication and building a network/support system to help with those nagging issues can get you back on track along with sucesories. Being honest this is still an area I am working to improve on but still wanted to include it
  • Slow is smooth and smooth is fast…positions
    • AKA workflow. Not talking about IR playbooks or anything like that but how you move though your work ie how scope out/triage an alert/event/detection, how your handle endpoint investigations, or log analysis. Some certifications or blogs will tell you a way to do it, much like there are defaults/standard form for lifts but you need to make adjustments as someone that is 6’2″ my start with lifting or position is not going to be the same as someone that is 5’2″ (lets also leave mobility out of its too..) You need to find the methods that work for you and almost make them clock work and get good at feeling for them or the timing in a sense (aka when you need to pivot to another dataset or how you handle investigation). Obviously laws, regulation, or policy might dictate the end results (ie how things need to be noted on evidence/chain of custody, templates for reports) but making the bulk of it work for you and your mind works and likes to “move” or handle things will only aid you and make the bulk of the work flow better and lead to less jumping around and help with interpreting/automating things which can also help if you actually do have the ability to build out automation via playbooks with SOAR, Jupyter notebooks or other functionality like that

I was going to make this a bullet but since it ties into the first bullet with networking/mentorship and communication but getting a coach versus trying to do it all on your own can help with. Also try and have fun…I know some days are going to suck and be hard but try to enjoy it the best you can. This isn’t your life it is just a piece of it. I know there is the push of grind culture and if that works for you cool. But personality I know when I am on my death bed or when my time comes I would rather be remember as someone that did the work and had some passion but was still human and a decent person versus no one being there but hey they caught an alert that stopped APT 29 or only lived to lift..

Take from this what you can I know some of the lifting analogy might not fully work for some but really this has been on my mind for a little while now and felt like writing about it. I’m sure I might need to make some updates down the road but this was a lot more mentally fatiguing than I thought it would be. Maybe I should of gotten on my soap box and ranted and saved this for a rainy day, but I found it interesting how hobbies and other things helped my in my career development and might help others tie in hobbies and other activities and see how the lessons learned can help build in other areas.

So long and thanks for the Response: why are we skipping post incident activities

m0rt0n86Leave a comment

While re-going though some Incident response topics with Security Blue Team, Cybary and LinkedIn Learning there was a common thread that they all had if they were going though NIST 800-61 (or even SANS standards) was NOT to skip the post incident activities. business is back up right? who cares? we got it all solved so post incident activities means going out to the local watering hole and having an adult beverage or six. That is what you mean right? No. not at all (although if you wanted to post post incident activities I guess this could work)

Now your might be thinking why well if your are a fan of standards/frameworks (If you are in Cyber you probably are since you do have compliance you need to meet among other things) there is this hole step that can also improve the process for next time, as it is going to happen as someone is going to have an off day and click yet another link to make your life full of fun. Also you wouldn’t hire a Pen-testing firm to come in and not review the findings and look for ways to improve the organizations security posture? You wouldn’t do Red team/purple team engagement with tools like Red Canary’s “Atomic Red Team” or MITRE Caldera would you? If not what are you really getting out of it other than doing a task to check the box for something which is not going to do anything to help you or the org (except maybe if you want to give yourself a gold star). You use these tools and skills to look at oversights, detection/alerts that are missing or not as clear. Which you would work to fix and to help your cause you could map this to ATT&CK/Shield (as we all know leaderships likes charts and frameworks are super helpful for some).

So the question is, we make time for that? why are we not making time for the post incident review? I get it. its another round table, another day potently spent going over process/procedures but if it makes your security posture better by looking at the things you would with a Pen-Test or purple teaming, why skip out on it. It’s like stomping out a fire without making sure it’s embers are fully out. In this case you don’t improve the response to a particular incident guess what happens? those embers (incident) rises into a flame and next thing you know you are dealing with a similar incident responding in the same way. Did that really work? sure you put out the big fire, but you did not ensure it was fully out because you are still getting hit in the same way you did before. now if your org is not giving you the time or capabilities to fully put out the fire, you probably do not have full management buy in into your incident response program as that should be the priority for those on the Computer Emergency Repose Team (CERT/Cyber Security Incident Response Team (CSIRT) when facing an incident.

I do understand that most are working with limited business and that security is just a coast center (unless you are an MSSP or something among those lines). but how can the business really function under normal operations if you still have kindling flames of incidents (attack vectors that your IR plan/policy lacks coverage for) if you are constantly wasting time going back to “remediating” and leaving it at that. Maybe its the military and having to instruct a few classes that thought me the importance of After Action Reviews (AAR) but not doing that security incidents and then wondering why you are dealing with the same attacks over and over again fits the definition of insanity (doing the same thing over again and expecting a different result). Doubly so if the business gets effected by this time after time, you would think they would want it to be prevented to prevent any bad publicity and having to issues statements over and over again.

Taking the time to try and close the gap with post incident activities ensure senior leadership understand that this is apart of the process and ensure that it is the plan/policy. if they do not want to listen and want you to move on to other things remind them of their buy in/enforcement. If not, use ethics committees and other tools to ensure policies/plans/procedures are being enforced and allowed to be followed though to the end, the very end. At the end of the day this is to better the security posture to allow an org to keep operations up by having plans in place to avoid shutting down production due to a cyber incident that effects the CIA triad.

I know not every org is like this, but when going though videos and other training the theme that always seems to be around is “DO NOT SKIP THE POST INCIDENT ACTIVITIES” there is defiantly something up with the industry and something we need ensure we are doing. Along with doing IR exercises (if you want some gamification of IR tabletops look at Black Hills Information Security Backdoors and Breaches card game) But I’ll save that for another time.